About CVE-2017-9525

Alex Murray alex.murray at canonical.com
Tue Mar 23 00:56:25 UTC 2021


Hi,

As noted in the CVE listing at *1 this vulnerability is within the
postinst script within the cron package - however the diff you refer to
in *3 is a change within the cron source code itself - and so the
postinst script still contains this issue in the version within Ubuntu
18.04 LTS and hence this is not currently fixed.

However, as also noted in the CVE listing, this is mitigated by kernel
symlink restrictions[4] which are enabled by default on all Ubuntu
releases - as this would stop an unprivileged user creating a symlink
within the crontabs directory and hence using this for privilege
escalation. Finally, as also noted in the CVE listing, since this
vulnerability is in the postinst script, and this script is only run at
package install time, the only chance to exploit this is if a new cron
package were to be installed or reinstalled. And so this is only likely
to happen if an update to the cron package is released.

As such, in general this vulnerability is of little consequence as it
currently stands for Ubuntu. However, if the cron package is updated for
some other vulnerability, the security team also plans to update it to
remedy this vulnerability as well.

Finally, the ubuntu-motu list is probably not the best place to raise
these sorts of concerns - in general, feel free to either use the
ubuntu-hardened mailing list[5] or email security at ubuntu.com directly to
reach the security team.

Thanks,
Alex

[4] https://wiki.ubuntu.com/Security/Features#symlink
[5] https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

On Mon, 2021-03-22 at 23:27:12 +1030, 佐々木将信 wrote:

> Hi team,
>
> I may have found a misleading advisory about CVE-2017-9525 on your web
> site *1.
> The status of the vulnerability is still “needed” on Ubuntu 18.04 LTS
> (Bionic Beaver).
> However, this is already fixed in version “3.0pl1-128.1ubuntu1”.
>
> This vulnerability might be regarding a maintenance script (such as posttest)
> when I see Debian’s fixing *2.
> If it is, Ubuntu cron seems to be fixed at the above version considering
> diffs on the version. *3
>
> I apologize if I don’t follow reporting rules and if I am mistaken.
>
> *1
> https://ubuntu.com/security/CVE-2017-9525
>
> *2
> https://salsa.debian.org/debian/cron/-/commit/a10ab4e346e941aaa92f4b671a96895392b917af
>
> *3 (around line 2992)
> https://launchpadlibrarian.net/345982798/cron_3.0pl1-128.1ubuntu1.diff.gz
>
>
> Best regards
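As an added illustration of the mitigation Alex describes (not code from the thread, the cron package, or the Ubuntu security team), the following POSIX shell helpers let an administrator confirm on a given host that the kernel symlink restriction is active and that the crontabs spool directory currently contains no symlinks. The path `/var/spool/cron/crontabs` is assumed to be the crontabs directory referred to in the thread; both the sysctl file and the directory are parameters so the functions can be exercised against constructed paths.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Audits the two conditions discussed above: is fs.protected_symlinks
# enabled, and are there any symlinks sitting directly in the crontabs
# spool directory (assumed to be /var/spool/cron/crontabs).

# Returns 0 when the sysctl value read from $1 is exactly "1".
# $1 defaults to the live kernel file; a constructed file may be passed instead.
protected_symlinks_enabled() {
    f="${1:-/proc/sys/fs/protected_symlinks}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Prints the symlinks that are direct children of directory $1 (no recursion,
# since the concern is an entry placed inside the crontabs directory itself).
find_symlinks() {
    find "$1" -mindepth 1 -maxdepth 1 -type l
}

# Prints the number of such symlinks as a bare integer.
count_symlinks() {
    find_symlinks "$1" | wc -l | tr -d ' '
}

# Reports both checks; returns 0 only when no symlinks are present.
# $1: crontabs directory (assumed default /var/spool/cron/crontabs)
# $2: sysctl file to read (defaults to the live kernel value)
audit_crontabs() {
    dir="${1:-/var/spool/cron/crontabs}"
    sysctl_file="${2:-/proc/sys/fs/protected_symlinks}"
    if protected_symlinks_enabled "$sysctl_file"; then
        echo "fs.protected_symlinks=1: kernel symlink restriction is in effect"
    else
        echo "fs.protected_symlinks is not 1: kernel symlink restriction is NOT in effect"
    fi
    n=$(count_symlinks "$dir")
    echo "$n symlink(s) found directly in $dir"
    [ "$n" -eq 0 ]
}
```

Run `audit_crontabs` with no arguments on the host in question; a non-zero exit means at least one symlink was found in the spool directory and is worth inspecting before any cron package update is installed.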
